Beware Wake-Up Call from Password Guesser


Newbies who pick obvious or weak passwords for their Net accounts are opening themselves up to a possible "nastygram" courtesy of the latest release of a password-guessing program used by both computer security professionals and recreational crackers.

Crack v5.0a is designed to locate insecurities in Unix password files by running combinations of dictionary words as well as number-and-letter combinations on encrypted files until something clicks. When that happens, the event is logged, or the program can be configured to send an advisory email to the user. Either that, or the user may find her or his account maliciously hacked.

As is the case with every security program ever released, including the infamous Satan in 1995, Crack v5.0a caused some concern among security professionals on Usenet groups and mailing lists. However, the tool has been available and used by hackers since the first version was released in July 1991.

"Even though Crack has been around for five years, it is still a relevant tool as users will always pick simple-to-guess passwords," said Elias Levy, moderator of the security mailing list BugTraq and maintainer of the security site underground.org.